Thanks for the report. Setting country=us does not currently work for you because this API parameter requires you to set token_auth (see doc)

To solve this issue, maybe we could simply make country/region/lat/long/city API parameter not require anymore token_auth to be set. This would make sense as part of our previous work in #6109#6407 and #6110

An override value for the Accept-Language HTTP header field. This value is used to detect the visitor's country if GeoIP is not enabled.

^ Language doesn't state to require a token.

Nowhere does it state that the country parameter is used to determine the location (although somewhat expectable), it says everywhere it's based on the language and that doesn't require an api token. API DOCs & Piwik GeoLocation settings say that.

Regarding your suggestion:
My first thought was that this makes it open for abuse. People could set random values.
But is this really an issue, let's say people are abusing it and the dev notices, when then GeoLocation is changed to a different type, is that then overriding the country parameter in the Piwik console?